Skip to site navigation (Press enter)

[webkit-changes] [249026] trunk

said Thu, 22 Aug 2019 14:15:05 -0700

Title: [249026] trunk

Revision: 249026
Author: s...@apple.com
Date: 2019-08-22 14:13:38 -0700 (Thu, 22 Aug 2019)

Log Message

Crash may happen when an SVG <feImage> element references the root <svg> element
https://bugs.webkit.org/show_bug.cgi?id=201014


Reviewed by Ryosuke Niwa.

Source/WebCore:

When an <feImage> references an <svg> element as its target image but
this <svg> element is also one of the ancestors of the <feImage>, the
parent <filter> should not be applied.

Test: svg/filters/filter-image-ref-root.html

* svg/SVGFEImageElement.cpp:
(WebCore::SVGFEImageElement::build const):

LayoutTests:

Ensure the cyclic reference between the <feImage> renderer and its
ancestor <svg> root renderer is broken.

* svg/filters/filter-image-ref-root-expected.txt: Added.
* svg/filters/filter-image-ref-root.html: Added.

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/svg/SVGFEImageElement.cpp

Added Paths

trunk/LayoutTests/svg/filters/filter-image-ref-root-expected.txt
trunk/LayoutTests/svg/filters/filter-image-ref-root.html

Diff

Modified: trunk/LayoutTests/ChangeLog (249025 => 249026)


--- trunk/LayoutTests/ChangeLog	2019-08-22 19:25:48 UTC (rev 249025)
+++ trunk/LayoutTests/ChangeLog	2019-08-22 21:13:38 UTC (rev 249026)
@@ -1,3 +1,16 @@
+2019-08-22  Said Abou-Hallawa  <sabouhall...@apple.com>
+
+        Crash may happen when an SVG <feImage> element references the root <svg> element
+        https://bugs.webkit.org/show_bug.cgi?id=201014
+
+        Reviewed by Ryosuke Niwa.
+
+        Ensure the cyclic reference between the <feImage> renderer and its
+        ancestor <svg> root renderer is broken.
+
+        * svg/filters/filter-image-ref-root-expected.txt: Added.
+        * svg/filters/filter-image-ref-root.html: Added.
+
 2019-08-22  Tim Horton  <timothy_hor...@apple.com>
 
         Rebaseline some editing tests after r248974

Added: trunk/LayoutTests/svg/filters/filter-image-ref-root-expected.txt (0 => 249026)


--- trunk/LayoutTests/svg/filters/filter-image-ref-root-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/svg/filters/filter-image-ref-root-expected.txt	2019-08-22 21:13:38 UTC (rev 249026)
@@ -0,0 +1,2 @@
+This test passes if it does not crash.
+

Added: trunk/LayoutTests/svg/filters/filter-image-ref-root.html (0 => 249026)


--- trunk/LayoutTests/svg/filters/filter-image-ref-root.html	                        (rev 0)
+++ trunk/LayoutTests/svg/filters/filter-image-ref-root.html	2019-08-22 21:13:38 UTC (rev 249026)
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<style>
+    ::selection {
+        background-color: lime;
+    }
+</style>
+<body>
+    <svg id="svgx" filter="url(#filter)">
+        <filter id="filter">
+            <feImage xlink:href=""
+        </filter>
+        <text id="text">This test passes if it does not crash.</text>
+    </svg>
+    <script>
+        if (window.testRunner)
+            testRunner.dumpAsText(true);
+        window.addEventListener('load', (event) => {
+            document.getSelection().setBaseAndExtent(text, 0, text, 1);
+        });
+    </script>
+</body>

Modified: trunk/Source/WebCore/ChangeLog (249025 => 249026)


--- trunk/Source/WebCore/ChangeLog	2019-08-22 19:25:48 UTC (rev 249025)
+++ trunk/Source/WebCore/ChangeLog	2019-08-22 21:13:38 UTC (rev 249026)
@@ -1,3 +1,19 @@
+2019-08-22  Said Abou-Hallawa  <sabouhall...@apple.com>
+
+        Crash may happen when an SVG <feImage> element references the root <svg> element
+        https://bugs.webkit.org/show_bug.cgi?id=201014
+
+        Reviewed by Ryosuke Niwa.
+
+        When an <feImage> references an <svg> element as its target image but
+        this <svg> element is also one of the ancestors of the <feImage>, the
+        parent <filter> should not be applied.
+
+        Test: svg/filters/filter-image-ref-root.html
+
+        * svg/SVGFEImageElement.cpp:
+        (WebCore::SVGFEImageElement::build const):
+
 2019-08-22  Ryosuke Niwa  <rn...@webkit.org>
 
         Make ImageBuffer and SVG's FilterData isoheap'ed

Modified: trunk/Source/WebCore/svg/SVGFEImageElement.cpp (249025 => 249026)


--- trunk/Source/WebCore/svg/SVGFEImageElement.cpp	2019-08-22 19:25:48 UTC (rev 249025)
+++ trunk/Source/WebCore/svg/SVGFEImageElement.cpp	2019-08-22 21:13:38 UTC (rev 249026)
@@ -185,6 +185,11 @@
 {
     if (m_cachedImage)
         return FEImage::createWithImage(filter, m_cachedImage->imageForRenderer(renderer()), preserveAspectRatio());
+
+    auto target = SVGURIReference::targetElementFromIRIString(href(), treeScope());
+    if (isDescendantOrShadowDescendantOf(target.element.get()))
+        return nullptr;
+
     return FEImage::createWithIRIReference(filter, treeScope(), href(), preserveAspectRatio());
 }

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes